Unfortunately, the description does not state that the method used to enumerate an accounts list is based on a failed login attempt, though it does seem to imply it. When I see the word enumeration, I think more along the lines of Windows 2000 account enumeration using null sessions. In the case of W2k, a full list of accounts can be enumerated (retrieved in their entirety) using a null session against an AD server as well as a workstation.
See http://www.minasi.com/newsletters/nws0312.htm for what I think of when I see 'account enumeration'. Frankly, the other item on the arswiki page concerning remote admin access using a built-in password on misconfigured servers concerns me much more than this.

Axton Grams

On 1/16/07, Robert Molenda <[EMAIL PROTECTED]> wrote:
There are several known issues with Mid-Tier (cache ID reuse before cache timeout), not to mention CLIENT, and not to mention all the others (ODBC, ...), however the only "validation" that this person has was in the message which was returned (which seems to vary from release to release)... Invalid password for user ABC. This does NOT mean you "got into" the system, but got a response that some form of ID "seems to exist". Certain "security classes" will actually tell you it is GOOD to provide the response seeming that the "Account exists but password is invalid", which is easier to detect, because a true h4x0r will then use that account and start the password scans. Other security classes will tell you completely the opposite. Is this something to "worry about" – definitely not. IMHO... That is why we use at the web-server "Integrated Windowz Authentication", and then ASP to check the DB and route the user under the covers automagically. In V7 we will be going completely Windowz Domain Controller authentication, so... The bigger issue is that "someone got onto your network" in order to get to mid-tier... Of course, those exposing ARSystem externally should deploy a strong security model of DMZ (bla bla...).

Thanks-n-advance;
HDT Platform Incident / Problem Manager & Architect
Robert Molenda
IT OS PA
Tel: +1 408 501 6310 Fax: +1 408 501 2410 Mobile: +1 408 472 8097
[EMAIL PROTECTED]
Quality begins with your actions.

From: Action Request System discussion list (ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Axton
Sent: Tuesday, January 16, 2007 3:25 PM
To: [email protected]
Subject: Re: Remedy Vulnerability

Enumeration implies a full list of accounts can be retrieved.
This individual seems to have a track record of exploit discoveries:
http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0547.html
http://www.security-express.com/archives/fulldisclosure/2004-09/0189.html
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-09/0072.html
http://www.securitytracker.com/alerts/2004/Feb/1009069.html
and on and on...

In any case, I've added it to the list on arswiki: http://arswiki.org/wiki/ARS_Vulnerabilities

Axton Grams

On 1/16/07, David Yearsley <[EMAIL PROTECTED]> wrote:

One of our security people found this website http://www.securityfocus.com/bid/22066/discuss and is very. We have not been on version 5.01.02 for some time and I was wondering if this vulnerability has been addressed in later versions? Thanks for any information.

__20060125_______________________This posting was submitted with HTML in it___
_______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where the Answers Are"
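The message-based account check the thread is arguing about, as an added example that is not from the thread or from Remedy: a login routine whose error text tells an unknown user apart from a wrong password, beside one that returns a single message and does the same hashing work in both cases, plus a small check that reports whether the two responses differ. The user store, salt and password are constructed for the example.

```python
# Added example, not code from the ARSlist thread or from Remedy/ARSystem.
# Shows the "Invalid password for user ABC" style oracle and a uniform reply.
import hashlib
import hmac

def _digest(salt: bytes, password: str) -> bytes:
    """Salted SHA-256 of the password (stand-in for a real password hash)."""
    return hashlib.sha256(salt + password.encode()).digest()

# Constructed user store: username -> (salt, salted digest).
_SALT = b"constructed-salt"
USERS = {"demo": (_SALT, _digest(_SALT, "s3cret"))}

def login_leaky(user: str, password: str) -> tuple[bool, str]:
    """Distinct messages: the reply itself reveals whether the account exists."""
    if user not in USERS:
        return (False, "User does not exist")
    salt, digest = USERS[user]
    if _digest(salt, password) != digest:
        return (False, f"Invalid password for user {user}")
    return (True, "OK")

def login_uniform(user: str, password: str) -> tuple[bool, str]:
    """One message, and the same hashing work, for unknown users and bad passwords."""
    # Unknown users get a dummy salt/digest so the hash is still computed.
    salt, digest = USERS.get(user, (_SALT, bytes(32)))
    match = hmac.compare_digest(_digest(salt, password), digest)
    ok = match and user in USERS
    return (ok, "OK" if ok else "Invalid username or password")

def leaks_existence(login) -> bool:
    """True if a wrong password for a known user answers differently than an unknown user."""
    _, unknown_reply = login("nosuchuser", "wrong")
    _, known_reply = login("demo", "wrong")
    return unknown_reply != known_reply

if __name__ == "__main__":
    print("leaky handler leaks:", leaks_existence(login_leaky))      # True
    print("uniform handler leaks:", leaks_existence(login_uniform))  # False
```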

